Driving on the road


I heard the letters G, D, P and R together for the first time in April 2017 at a Breakfast Briefing that the Business School organised about the DVLA’s digital strategy. After sharing the progress that it has made towards reaching 100% of its services being offered digitally, the DVLA’s Service Manager then turned to some of the unknowns and challenges that lay ahead – challenges such as ‘GDPR’. He then said something along the lines of ‘at this stage, we don’t even know if we’ll be able to contact people to remind them that their licence is about to expire’.

I was shocked by this statement: how on earth could these four letters mean that you weren’t able to remind customers that they needed to renew their licence?! After the event, I immediately Googled GDPR and made a mental note that if I was unaware of this law and its potential implication, lots of other people wouldn’t be aware either, and that I should seek an expert to come and talk to our Business community about it.

The Business School has a great relationship with the law firm Hugh James and so I asked one of its team, Helen Iles (who now has her own consultancy) to deliver a session for us on 27th July 2017 that outlined the requirements of the regulation and what people needed to do, quickly, to make their businesses compliant.  You can watch the slides and listen to the recording here. Helen begins at 1.45 mins and over the course of an hour does a fantastic job of explaining everything, far better than I ever could.  So for the sake of this blog, I just thought I’d reflect on the three key messages that I took from the session, which give an insight into how Executive Education is approaching the issue.

  1. That it is perfectly reasonable to contact people on your database if there is a legitimate business requirement to do so. The DVLA therefore surely can contact people to let them know that they need to renew their licence. If I need to discuss a course with a client sponsor who has already confirmed their contract, I can of course do this. I do not have to ask their permission to email them.
  2. When it comes to marketing and promotional activity however, more care does have to be taken. A ‘business card in a bucket’ competition is a good reference point here. If you ask people to put their business card into a prize draw to win a bottle of champagne, unless you make it explicitly clear that you are asking them to provide their contact details to enter the competition, and enter your marketing database, and have evidence that everyone is aware of both intents, you are in breach of GDPR. As a very external-facing function of the School, this level of ‘commitment to consent’ has many different implications for us. We are now ensuring that the right consent tick boxes are in place on our marketing material and that all of our data is held extremely securely.
  3. Declaring a data breach is critically important. Failure to do so is what exposes individuals and organisations to the hefty fines. If a breach or inappropriate data share occurs, we must declare it FAST, and drastically limit the damage done.

These are my personal reflections on the session that Helen delivered – you will obviously need to fully explore the implications of GDPR for your own business. However, as a specialist in improvement, I like to look for the positive effects of any such ‘imposed change’ in order to make those changes more palatable. To me, GDPR is affording us the opportunity to think much more carefully about how we communicate with our customers. This is a good thing.  We have to be exceptionally clear about our offering and in no way misrepresent what we are asking of them. Trust is an essential part of great relationships with customers and they mustn’t feel that we are stepping over any kind of line with them in terms of how they thought that they were going to talk to us. This is just good business practice – GDPR enshrines this in law.

In terms of reporting data breaches, this is where excellent leadership and positive organisational cultures come into play. To meet the needs of GDPR, employees will need to feel empowered enough and confident enough that they will not face serious, unjustifiable reprisal when putting up their hands to declare a data breach.  If we are working within cultures of fear and accusation, the likelihood that people will declare problems is very slim. I must be confident that my team first understands GDPR and then feels able to talk to me openly and quickly about any issues that might arise in the course of work.

There is no doubt that meeting the GDPR is going pose many challenges to business. I am not trying to detract from this fact and I encourage organisations to engage with experts in this area to ensure that they are compliant, but GDPR does pose some opportunities to pursue greatly improved business practice.

One last thought… if you look at GDPR from your own personal perspective as opposed to that of your business, you agree with every single part of it.

Sarah Lethbridge

Author: Sarah Lethbridge

Sarah Lethbridge is the Director of Executive Education at Cardiff Business School. Her role is to work with external organisations to design programmes of learning which employ the academic expertise of the Business School.

Sarah joined the Business School’s Lean Enterprise Research Centre in 2005. Since that time, she has worked on numerous lean projects in hospitals, universities and public and private services.

She has worked with the Ministry of Justice’s Lean Academy, the Value for Money team in the Home Office, Nestle, Legal and General and Principality Building Society to ensure that organisations approach lean in a holistic, sustainable way.